Fortigate Notes

This document contains configuration commands and summaries for different Fortinet technologies including VLANs, firewall policies, HA, VDOM, transparent mode, DNS filtering, application control, and FortiManager. It discusses using FortiManager for centralized management of multiple FortiGate firewalls including provisioning, firmware upgrades, logging, and reporting.

VLAN1

VLAN10

Internet-Access
DMZ-Out
Web-server-access

system settings
NTP

get router info routing-table details 10.1.10.100


diag firewall iprope lookup 10.1.10.100 12123 1.1.1.2 80 tcp VLAN10

diag firewall iprope lookup 10.1.20.100 12123 1.1.1.2 80 tcp VLAN20

diagnose firewall iprope lookup 10.1.20.100 8 1.1.1.2 0 icmp VLAN20

diagnose firewall iprope lookup 10.1.1.100 8 1.1.1.2 0 icmp VLAN100

diag firewall iprope lookup 1.1.1.2 12123 1.1.1.5 80 tcp port1

execute log display

execute log display filter dump
execute log filter free-style "(srcip 1.1.1.2) and (dstip 1.1.1.5)"

VDOM
two modes - split-task VDOM & multi-VDOM
admin accounts - assigned to a VDOM together with an admin profile
admin-root -> vdom root -> profile prof-admin
admin-fw2 -> vdom fw2 -> profile prof-admin
admin -> vdom global -> profile super_admin -> full access to all VDOMs
interfaces are assigned from global; policy, NAT etc. are configured individually per VDOM
VDOM link -> on the backplane, connects VDOMs inside one box; an L3 interface
NPU VDOM link -> same, but handled by the hardware network processor (NPU)

Transparent
Bridging with FW policy
1) put the whole box in transparent mode 2) a virtual wire pair allows transparent bridging while the box stays in L3 (NAT) mode

HA
same model + HW + SW + license + connections
FGCP
Heartbeat link - exchanges hellos; syncs session state, routing table, ARP etc. and the config
TCP port 23 is used by FGCP for configuration synchronisation. UDP/ICMP session state
sync can also be enabled.
add the primary FW to HA with priority 200. factory reset the secondary, ensure same model,
SW, transparent or NAT mode, VDOM mode etc., then apply the HA config with priority 100.
primary selection: fewest down interfaces, then highest uptime, then priority, and finally S/N.
restart the primary - the secondary takes over and there is no pre-emption. system uptime is
also considered when choosing the active unit.
reserve a management IP to manage each FW in the cluster individually; it uses the physical
MAC, not the virtual MAC.
only the clustered interface should be used to register with FortiManager or FortiAnalyzer.
config not synced - mgmt interface IP,
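An HA config block matching the notes above (primary with priority 200, dedicated heartbeat links, TCP plus UDP/ICMP session sync, no pre-emption, reserved per-unit management interface), added here as an example and not taken from the original notes. Group name, password, port names and addresses are assumptions, lines starting with "#" are explanatory comments, and the exact keywords vary between FortiOS releases, so check them against the release in use.

```fortios
# Primary unit. Apply the same block on the factory-reset secondary
# with "set priority 100" and its own management IP.
config system ha
    # assumed cluster name and password; both must match on the two units
    set group-name "FGT-CLUSTER"
    set password "<ha-password-placeholder>"
    # active-passive FGCP
    set mode a-p
    # two dedicated heartbeat links (assumed ports); config sync runs over these
    set hbdev "port3" 50 "port4" 50
    # sync TCP session state, and also UDP/ICMP (connectionless) state
    set session-pickup enable
    set session-pickup-connectionless enable
    # no pre-emption: after a failover the new primary keeps the role
    set override disable
    # 200 on the primary, 100 on the secondary
    set priority 200
    # monitored links: the unit with fewer down interfaces wins primary selection
    set monitor "port1" "port2"
    # reserved management interface: keeps its own IP and physical MAC,
    # not the cluster virtual MAC (assumed port5)
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port5"
            set gateway 192.168.100.1
        next
    end
end
# per-unit address of the reserved management interface (not synced)
config system interface
    edit "port5"
        set ip 192.168.100.11 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

Register the cluster with FortiManager/FortiAnalyzer through a clustered interface, not through port5, since the reserved management IP belongs to one unit only.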

PKCS12 -> bundle holding the certificate, child cert + all keys


for outbound SSL inspection, use a policy-based firewall policy and then apply the SSL profile
make devices trust the CA 1) import the "CA cert" & add the internal CA root cert 2) PC 3)
browser

www.fortiguard.com to look up the category of a website


FG web filter actions: allow / monitor / block / warning / authenticate
override 1) web profile override (change profile) 2) web category/rating override

DNS filtering - reads the DNS response & allows/denies it. enforce safe search, block
C&C/botnet, certain IPs, external IP list, DNS translation, DNS categories
DB has a botnet-domain list and a botnet-IP list
actions: allow, monitor, redirect to portal

Application control
1) licensed; uses the IPS engine and the application DB
2) execute update-now
actions: accept, block, monitor, quarantine (block the IP for some time)
application override - e.g. block YouTube
application filter - by category, e.g. video/audio

FortiManager :-
Why - managed service providers with many FWs 1) mass provisioning 2) config 3)
track/audit changes
Cloud (a license feature) + Appliance + VM
1. centralized config management
2. ADOMs - one group of admins with full access, admin group X limited to a set of firewalls, etc.
3. local provisioning (FDN) - saves bandwidth and delay; updates for AV, IPS, web and email
filtering etc. are centralized
4. firmware upgrade
5. scripting to some FWs
6. logging and reporting

FM - FAZ
FM can also act as FAZ but requires additional resources + limited logging/reporting
FM can manage a FAZ (stores logs) and generate reports
config system interface
    edit port1
        set ip 192.168.1.x/24
end
conf

diagnose dvm adom list


diagnose system admin-session list
